maria-discuss team mailing list archive

[Honza Horak <hhorak@xxxxxxxxxx>]

Thanks for the feedback, Kolbe.

On 10/23/2015 06:41 PM, Kolbe Kegel wrote:
> I find the use of environment variables to hold passwords to be a really troubling feature of the way many Docker images are built and used.

I agree this is not a very good solution and we need to come up with 
something better, that will also work in kubernetes. If anybody knows 
about something handy, I'd be glad to hear about it. So far, we've just 
used what other images do, which is not ideal at all.

> In an environment where Docker linking is not used, perhaps the environment variable problem is somewhat less severe. But I'm really troubled by this statement:
>
> "Changing database passwords through SQL statements or any way other than through
> the environment variables aforementioned will cause a mismatch between the
> values stored in the variables and the actual passwords. Whenever a database
> container starts it will reset the passwords to the values stored in the
> environment variables."
>
> That sounds to me like a security catastrophe.

In cases user cares about keeping the container password unknown to 
other containers and docker daemon itself, the stack can be initialized 
with some init-only root password and changed afterwards. If I 
understand what your concern is, it's the reset of the password, right? 
I guess we may change that behavior to not do anything if password is 
not set and data directory is already initialized. Is it something what 
would help here from your point of view?

Honza

> Kolbe
>
> > On Oct 22, 2015, at 11:26 PM, Honza Horak <hhorak@xxxxxxxxxx> wrote:
> >
> > For those who are interested in containers, I'd like to share a Docker image that we've produced in Red Hat in cooperation with OpenShift guys. And will be really glad for any feedback you have.
> >
> > The image can be used in OpenShift or run directly. But what I find really interesting is a PoC implementation of master/slave, that is not documented as official feature yet, but it can be used as simple as that:
> >
> >   docker pull centos/mariadb-100-centos7
> >
> >   docker run -e MYSQL_MASTER_USER=master \
> >              -e MYSQL_MASTER_PASSWORD=master \
> >              -e MYSQL_DATABASE=db \
> >              -e MYSQL_USER=user \
> >              -e MYSQL_PASSWORD=foo \
> >              -e MYSQL_ROOT_PASSWORD=rootpasswd \
> >              -d centos/mariadb-100-centos7 mysqld-master
> >
> >   docker run -e MYSQL_MASTER_USER=master \
> >              -e MYSQL_MASTER_PASSWORD=master \
> >              -e MYSQL_DATABASE=db \
> >              -e MYSQL_MASTER_SERVICE_NAME=<master_ip> \
> >              -d centos/mariadb-100-centos7 mysqld-slave
> >
> > More info about the image available here:
> > https://hub.docker.com/r/centos/mariadb-100-centos7/
> >
> > As said above, any feedback welcome :)
> >
> > Honza
> >
> > _______________________________________________
> > Mailing list: https://launchpad.net/~maria-discuss
> > Post to     : maria-discuss@xxxxxxxxxxxxxxxxxxx
> > Unsubscribe : https://launchpad.net/~maria-discuss
> > More help   : https://help.launchpad.net/ListHelp